All true, but it’s not a completely invalid question. What people want from libcurl and what libcurl gives aren’t exact matches. It’s not the fault of libcurl that input validation wasn’t done, but the fact that such mistakes keep recurring suggests that even if we don’t want to reevaluate the design of the library, we should reevaluate the decision to use it in these scenarios.

Or to rephrase, why do these mistakes keep happening? Or more exactly, why don’t people know they need to validate libcurl inputs?

I certainly think that difficult interfaces can and should be rethought (libtls is a great example of this). Sane defaults are also very important. In addition, software generally tends to only grow in features and complexity over time (I mean, libcurl supports POP3, LDAP, and SMTP? Kinda weird!).

I imagine the world would be well served by a cleaner interface for libcurl, or even just better defaults (maybe CURLOPT_PROTOCOLS set to HTTP/HTTPS by default instead of CURLPROTO_ALL).
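An added example, not part of the comments above and not libcurl's own code: a caller-side scheme allowlist applied to an untrusted URL before it is handed to libcurl, complementing the handle-level restriction (CURLOPT_PROTOCOLS limited to HTTP/HTTPS) suggested in the last comment. The helper name `url_scheme_allowed` and the allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist for this example; not a libcurl default. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https" };

/* Case-insensitive comparison of the first n bytes (schemes are ASCII). */
static int ascii_ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper (not a libcurl API): returns 1 only when `url`
 * begins with an explicit, allowlisted scheme followed by "://". */
int url_scheme_allowed(const char *url)
{
    if (url == NULL)
        return 0;

    /* RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
     * Leading whitespace or control bytes fail this first check. */
    if (!isalpha((unsigned char)url[0]))
        return 0;
    size_t len = 1;
    while (isalnum((unsigned char)url[len]) || url[len] == '+' ||
           url[len] == '-' || url[len] == '.')
        len++;

    /* Require an explicit "://": libcurl guesses a protocol for
     * scheme-less input, so reject it here instead of guessing. */
    if (strncmp(url + len, "://", 3) != 0)
        return 0;

    size_t count = sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0];
    for (size_t i = 0; i < count; i++) {
        const char *s = ALLOWED_SCHEMES[i];
        if (strlen(s) == len && ascii_ieq_n(url, s, len))
            return 1;
    }
    return 0;
}
```

This check only covers the URL the caller supplies; redirects are followed inside libcurl, so the handle still needs its own protocol restriction.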